2025-08-05

The Akira ransomware group is targeting SonicWall SSL VPN devices through what appears to be a zero-day vulnerability: some of the compromised appliances were already fully patched when they were breached, Arctic Wolf reported.

The researchers said the most recent uptick in ransomware activity began around July 15, 2025, while similar malicious VPN logins had been observed since at least October 2024.

According to Arctic Wolf, credential access through brute force, dictionary attacks, or credential stuffing has not yet been definitively ruled out.

However, given the high likelihood of the presence of a zero-day bug, the researchers said companies should consider disabling the SonicWall SSL VPN service until SonicWall makes a patch available.

Shane Barney, chief information security officer at Keeper Security, said Akira's targeting of SonicWall SSL VPNs represents the latest in a series of attacks exploiting remote access infrastructure, either through previously unknown vulnerabilities or through compromised credentials.

Barney pointed out that in recent months, threat actors have increasingly focused on SonicWall VPNs, using stolen credentials to bypass authentication, abusing weak configurations or exploiting flaws that may not yet be publicly disclosed.

“Even fully patched systems can be vulnerable when a zero-day exploit is in play, and that’s what makes these attacks so difficult to defend against with traditional patching alone,” said Barney. “Security teams should assume that VPN infrastructure is being actively targeted and take steps to harden access.”

Boris Cipot, senior security engineer at Black Duck, said while patching systems is a crucial aspect of cybersecurity hygiene, it doesn't guarantee complete security. Cipot said even after applying patches, previously unknown vulnerabilities – zero-days – can still exist.

“The complexity of modern software means that new security vulnerabilities can be discovered by developers, customers, or in the worst-case scenario, attackers,” said Cipot. “Therefore, organizations developing software need to prioritize app security to ensure uncompromised trust in software, especially in today's regulated and AI-powered world. Similarly, all organizations using software must ensure that it's properly patched, monitored, and configured to quickly respond to zero-day vulnerabilities and prevent attacks.”

Kevin Surace, chair at Token, said that even when systems are fully patched, attackers gain access through the front door: using stolen or phished credentials. Although the Arctic Wolf findings strongly suggest a zero-day has been exploited, Surace said that in many cases the real weakness is identity.

“If users are authenticating with legacy MFA or passwords, attackers don’t need a zero-day,” said Surace. “They just need to trick one person into logging in for them. That’s the pattern we’re seeing again and again.”

Scott Walsh, principal security researcher at Coalition, added that when a zero-day is being exploited and no fix is available, mitigation can really only take two forms: either disable the service completely or tightly restrict the IP addresses that are allowed to connect to the affected system.

“Both of these methods function to reduce the vulnerable attack surface,” said Walsh. “If an attacker can’t access the system via the vulnerability, they cannot attack it.”
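The IP restriction Walsh describes is also a useful lens for reviewing what has already happened: any successful VPN login from a source that would not have been allowed is a session to investigate first, and failed logins clustered on a few sources are the brute-force or credential-stuffing signal Arctic Wolf has not ruled out. The following Python is an added illustration, not code from the article, Arctic Wolf, or SonicWall. The allowlist ranges, the event format, and the sample logins are all constructed for the example; real SonicWall logs would need their own parser.

```python
import ipaddress
from collections import Counter

# Hypothetical allowlist: the only networks that should be able to reach the
# SSL VPN once access is restricted. These are documentation ranges chosen
# for the example, not anyone's real address space.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of SSL VPN login events. This is not SonicWall's log
# format; a real deployment would map its own fields onto these keys.
SAMPLE_LOGINS = [
    {"user": "alice", "src": "203.0.113.17", "ok": True},
    {"user": "bob",   "src": "192.0.2.44",   "ok": True},
    {"user": "bob",   "src": "192.0.2.44",   "ok": False},
    {"user": "carol", "src": "198.51.100.9", "ok": False},
    {"user": "dave",  "src": "2001:db8::1",  "ok": True},
    {"user": "erin",  "src": "not-an-ip",    "ok": True},
]


def is_allowed(src, allowed=ALLOWED_NETWORKS):
    """True only if src parses as an IP address and falls inside one of the
    allowed networks. Unparseable sources are treated as not allowed so the
    check fails closed; an IPv6 source never matches an IPv4 network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def flag_out_of_policy_logins(events, allowed=ALLOWED_NETWORKS):
    """Successful logins from outside the allowlist: the sessions an IP
    restriction would have blocked, and the ones to review first."""
    return [e for e in events if e["ok"] and not is_allowed(e["src"], allowed)]


def failures_by_source(events):
    """Failed logins per source address. A few sources with many failures
    is the shape of brute-force or credential-stuffing activity."""
    return Counter(e["src"] for e in events if not e["ok"])


if __name__ == "__main__":
    for e in flag_out_of_policy_logins(SAMPLE_LOGINS):
        print(f"review: user={e['user']} src={e['src']}")
    for src, n in failures_by_source(SAMPLE_LOGINS).most_common():
        print(f"failures: src={src} count={n}")
```

The same allowlist that drives the review can be applied as the firewall rule in front of the VPN; the point of doing it in code first is to see which existing sessions and users would be cut off before the restriction goes live.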